Intel Patching its 'Zombieload' CPU Security Flaw for the Third Time
Intel responded to criticism from security researchers saying that major steps were being adopted to minimise the danger the flaws represent to its processors.

Intel has announced that it is going to release another software update for its processors, designed to fix two more flaws that it calls microarchitectural data sampling (MDS) or 'Zombieload.' The company said that the update is expected in the coming weeks and would resolve issues that have possibly persisted even after Intel released MDS patches in May and November last year. According to MDSattacks, neither of the two "new" RIDL/MDS variants is "novel or interesting" and they are "more RIDL" (focusing on ways to get data into microarchitectural buffers RIDL can leak from). RIDL stands for Rogue In-Flight Data Load.

The first issue, which Intel refers to as L1DES, doesn't work on the company's recent chips. Intel also states that the company is "not aware" of anyone taking advantage of the flaws outside of the lab. When Intel issued a second MDS patch in November last year, security researchers began to criticise Intel. "We spent months trying to convince Intel that leaks from L1D evictions were possible and needed to be addressed," MDSattacks said in Addendum 2 to RIDL.

The addendum further said, "We reiterate that RIDL-class vulnerabilities are non-trivial to fix or mitigate, and current 'spot' mitigation strategies for resolving these issues are questionable. Moreover, we question the effectiveness of yearlong disclosure processes and also raise concerns on their disruptive impact on the academic process".

Intel responded to the criticism, saying that several major steps were being adopted to minimise the danger the flaws represent to its processors. "Since May 2019, starting with Microarchitectural Data Sampling (MDS), and then in November with TAA, we and our system software partners have released mitigations that have cumulatively and substantially reduced the overall attack surface for these types of issues," Jerry Bryant, Director of Communications, Intel Product Assurance and Security said. He further added, "We continue to conduct research in this area – internally, and in conjunction with the external research community".
